Employees are prepared to steal company data!

In a previous post, I had talked about two employees who are charged with having allegedly gained access to their former employer’s network even though they had left the company a couple of years before.

This week a former employee with United Way in Miami was sentenced to 18 months in jail and fined $50,000 for accessing his former employer’s network and deleting files from the servers as well as putting a few spokes in the company’s telephone voice mail system.

There seems to be a growing trend among employees – disgruntled or not, current or past – who believe that they can do what they want with their employers’ data. Two separate studies this week revealed that although employees know that it is illegal to steal or tamper with company data, they are still prepared to do it.

The two studies also found that companies are not doing much about the problem, even though they are aware that employees are a major threat to their data. Earlier this year, GFI conducted a survey in the UK, US and France and the results in all three countries showed that internal threats are being given very little priority with less than 20% of respondents stating that internal threats are a concern.

The statistics from the latest studies complement the findings of another survey by the Ponemon Institute earlier this year. Four in 10 employees admit to having taken sensitive data with them to a new position while one third said they would share sensitive data with friends or family in order to help them get a new job. Nearly half said they would steal data if they were dismissed tomorrow from their job.

So a good chunk of the workforce is willing to steal data to further their goals and position; thus you would expect the data owners to be a bit concerned. But no, employers appear to have their heads buried as deep as possible in the sand. They know it is happening; they know they are at risk and still they are not doing anything about it. Great news and a real confidence booster.

With so many channels of opportunity for data leakage, this attitude is baffling.

Here are a few of the most obvious methods:

• Use of insecure USB memory sticks

• Use of web-based personal email

• Applications downloaded from the Internet

• Sharing passwords with co-workers or friends

• Mobile devices, such as laptops, PDAs, smart phones etc

Most organizations will tell you that corporate data is extremely important and that secure data is not something to ignore or treat lightly. Securing data calls for a combination of measures using technology and security policies. There are some basic rules that all organizations must follow to secure their data and these include:

Monitor and manage the use of portable storage devices by employees. If you don’t know what devices are connected to the network and by whom, the risk of data leakage is high.

Limit access to those who need it. Data categorization and a thorough audit of access permissions are a must. You need to know who had access to data, why that individual has been granted access and whether that person is a single point of failure (e.g. only an administrator has the password to the customer databases).

Use content filtering software. Scanning outbound corporate email is a must to prevent business-confidential attachments, such as customer lists, financial details and marketing plans, from being sent outside of the organization. Access to web-based email accounts should be banned because these are insecure and increase the risk of data leakage and other vulnerabilities. Files can be transferred using web-based email without detection.

Know where the data is. Organizations need to have complete control over their data and how it is transferred within and outside the building.
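An added example (not from the original post) of the access-permission audit described under "Limit access to those who need it": it cross-checks access grants against an HR roster to flag access still held by departed staff, grants with no recorded reason, and resources only one person can reach. The roster, the grant list and every name in it are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical names): HR roster and access grants.
ROSTER = {
    "alice": {"left": None},
    "bob": {"left": date(2007, 6, 30)},  # left the company, account never removed
    "carol": {"left": None},
}
GRANTS = [
    # (user, resource, recorded justification)
    ("alice", "customer-db", "DBA on call"),
    ("bob", "file-server", "project archive"),
    ("carol", "file-server", ""),
    ("carol", "voicemail-admin", "telephony support"),
    ("dave", "file-server", "contractor"),  # not on the roster at all
]

def audit(roster, grants, today):
    """Return sorted (kind, resource, user) findings for an access review."""
    findings = []
    holders = defaultdict(set)  # resource -> current, known staff with access
    for user, resource, why in grants:
        record = roster.get(user)
        if record is None:
            findings.append(("unknown-account", resource, user))
            continue
        left = record["left"]
        if left is not None and left <= today:
            findings.append(("departed-still-has-access", resource, user))
            continue  # a departed user does not count as a valid holder
        if not why.strip():
            findings.append(("no-justification", resource, user))
        holders[resource].add(user)
    for resource, users in holders.items():
        if len(users) == 1:  # only one person can reach this resource
            findings.append(("single-point-of-failure", resource, next(iter(users))))
    return sorted(findings)

if __name__ == "__main__":
    for kind, resource, user in audit(ROSTER, GRANTS, date(2009, 1, 1)):
        print(f"{kind:28} {resource:16} {user}")
```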

Organizations cannot continue to ignore the obvious. Yet with survey after survey showing that they don’t really care, is it surprising that employees are becoming more confident that they won’t be caught?

I don’t think so.

If businesses won’t do anything, someone else will! The state of Massachusetts is a case in point. As of March 2010 businesses will have to comply with state regulations that make it harder for confidential and sensitive data to be stolen. The regulations were drafted to counter a breach similar to what happened at TJX but should also help to counter any insider attempts at stealing data.

Hopefully.

About the Author: David Kelleher

David Kelleher has over 20 years’ experience in media and communications. He has written extensively for business and tech publications and is an editor and regular contributor to the GFI blog.

While the erosion of employee ethics in the workplace is lamentable in these times, one must wonder how much companies contribute to the sorry state of affairs. Is it any wonder that workers behave the way they do when they observe coworkers, sometimes in a matter of hours, turned from trusted colleagues into so-called security threats who must be escorted from their cubicles by a pair of no-neck rent-a-cops? Expectation is a curious thing. If employees are treated like crooks, then chances are they’ll act like crooks. In one of the recent studies (http://datacenterjournal.com/component/option,com_content/task,view/id,3376/), one of the findings was that 57 percent of the respondents said it was easy to nick sensitive data from under their bosses’ noses. Only 29 percent said that last year. With the increased attention companies are giving to security concerns, that finding should make managers wonder whether ripping off proprietary information is getting easier, or it has always been easy and employees are now just noticing how easy it is.

Data theft is really a problem that can be avoided using technology. Some methods are difficult to implement and quite expensive, but a lot of them are really accessible. Every enterprise should be aware of this and put in place the restrictions that are within their reach. For example, if you have Windows Vista or above it’s quite simple to control USB ports, which are one of the most common methods for data theft.
Information is today’s most valuable asset and the IT department is the key to protecting it. So we can not only help the business, but we can also place the department as a strategic part of it.

Rafael October 29, 2011 at 12:10 am

Any law to protect us once the employee has done it?

David Kelleher October 31, 2011 at 10:38 am

Hi Rafael. Every organization should seek legal advice if a data breach occurs. Depending on the severity of the breach, whether the culprits have been identified, and so on, a number of external sources may become involved – e.g. the police, insurance companies. There are many laws and regulations that protect a company’s interests and the organization’s legal team would be aware of them and can advise how to proceed should data be stolen.